allowed - cli-guard examples/egress

NAME

allowed - dial a host that is on the allowlist

SYNOPSIS

allowed

DESCRIPTION

Dials https://example.com via the local CONNECT proxy with ModeEnforce and an allowlist of just {"example.com"}. Returns the HTTP response status from the dial plus the captured egress rows.

Examples:

egress-demo allowed
# proxy listening on 127.0.0.1:<port>
# response: 200 200 OK
# egress rows:
#   host=example.com:443                decision=allow  up=... down=... ms=...

The decision=allow row is what an auditor wants to see: the host was reached, the proxy let it through because it matched the allowlist, and the size and duration of the CONNECT tunnel are recorded. A replay from this row alone can reconstruct what the child did at the network layer, without needing the child's stdout.
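
The allowlist decision behind such a row, sketched as an added example (not cli-guard's own code). It models enforce mode only; the names normalizeHost, Decide and Row are assumptions, and the targets and counters are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// normalizeHost reduces a CONNECT authority or allowlist entry to a bare,
// lower-case hostname: "Example.COM.:443" -> "example.com".
func normalizeHost(authority string) string {
	host, _, err := net.SplitHostPort(authority)
	if err != nil {
		host = authority // no port present (e.g. an allowlist entry)
	}
	return strings.TrimSuffix(strings.ToLower(host), ".")
}

// Decide models enforce-mode behaviour (hypothetical helper): anything that
// is not an exact hostname match against the allowlist is denied, so
// "example.com.attacker.test" and "notexample.com" do not match "example.com".
func Decide(allowlist []string, authority string) string {
	host := normalizeHost(authority)
	if host == "" {
		return "deny" // malformed target such as ":443"
	}
	for _, entry := range allowlist {
		if host == normalizeHost(entry) {
			return "allow"
		}
	}
	return "deny"
}

// Row formats an audit line using the field names from the sample output
// above; the counter values passed in main are constructed.
func Row(authority, decision string, up, down, ms int64) string {
	return fmt.Sprintf("host=%-30s decision=%-6s up=%d down=%d ms=%d",
		authority, decision, up, down, ms)
}

func main() {
	allowlist := []string{"example.com"}
	targets := []string{ // constructed CONNECT targets
		"example.com:443", "EXAMPLE.com.:443",
		"example.com.attacker.test:443", "notexample.com:443", ":443",
	}
	for _, t := range targets {
		fmt.Println(Row(t, Decide(allowlist, t), 0, 0, 0))
	}
}
```

Exact matching on the normalized hostname is the design choice worth reviewing here: suffix or substring matching would let look-alike hosts produce a decision=allow row.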

Usage:

allowed [GLOBAL OPTIONS] [command [COMMAND OPTIONS]] [ARGUMENTS...]